Enabling Flexible Identifiers on your tenant has the potential to introduce breaking changes to your production environment. Test this feature thoroughly in a development environment and note your current connection settings before releasing it widely.
Attribute and Identifier definitions
For this product, an Attribute is a piece of user data that can be stored, such as email, phone number, and username. All Identifiers are Attributes, but only specific attributes are Identifiers. An Identifier is a unique Attribute that recognizes a distinct user in a given connection. Email, phone, and username can uniquely identify an individual and serve as Identifiers, while other attributes contribute to the user’s profile without uniquely identifying a user.
Use Flexible Identifiers
Flexible Identifiers is for general access with the following limitations:
- Flexible Identifiers, including the phone attribute, are only available with Universal Login and you must configure a phone provider.
- You must configure Identifier First to use phone verification on signup.
- The email address attribute must be enabled to use Adaptive MFA.
- You must have email on the User Profile to use Signup invites for Organizations.
- End users blocked under cannot unblock themselves via an SMS message. Other methods are available; to learn more, read Brute Force Protection.
- Flexible Identifiers moves the identifier field to the first login screen and changes the reset password prompt from email to username.
- OTP tokens for phone and email identifier verification have a lifetime of 900 seconds.
Issues using Flexible Identifiers
The following is a list of potential issues you may encounter while configuring and managing Flexible Identifiers:
- If the scope `phone` is not specified in the authorization request by your application, you will not receive the `phone_number` claim. To learn more about scopes, read Scopes.
- Your Get User custom database action script must be valid when Import Users to Auth0 is set to on. To learn more, read Configure Automatic Migration from Your Database.
- Each user must be assigned a unique username, email address and phone number if Custom Database with Import Mode is set to on.
- If you use the custom database action script Change Password and want to set `email` and `email_verified` to `True`, you must return the preferred `email_verified` state on the object. To learn more, read Change Password.
- If you use a custom database connection with Import Users to Auth0 toggled off, you must align your user profile properties with the Auth0 normalized user profile. To learn more, read Normalized User Profile.
- If you use a custom database connection with Import Users to Auth0 toggled on, Auth0 will check for uniqueness of `phone_number` and `phone_verified`.
- Identifier First prompts display all identifiers on the first screen and remove your previous settings, and the Reset Password prompt labels its input field Username instead of Email.
- Familiarize yourself with best practices to avoid SMS Pumping attacks. To learn more, read our whitepaper on SMS Pumping.
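A diagnostic for the missing `phone_number` claim described in the first item of the list above, as an added example that is not Auth0's own code. The tenant URL, client ID, user and tokens are constructed, and the function names and status strings are this example's own.

```javascript
// Added example: diagnostic only. It decodes the ID token payload without
// verifying the signature, so never use it to make an authorization decision.

// Scopes requested in an /authorize URL (space-delimited per OAuth 2.0).
function requestedScopes(authorizeUrl) {
  const scope = new URL(authorizeUrl).searchParams.get('scope') || '';
  return scope.split(/\s+/).filter(Boolean);
}

// Decode the payload (middle) segment of a compact JWT from base64url.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Classify why phone_number is or is not present in the ID token.
function diagnosePhoneClaim(authorizeUrl, idToken) {
  const hasScope = requestedScopes(authorizeUrl).includes('phone');
  const claims = decodeJwtPayload(idToken);
  const hasClaim =
    typeof claims.phone_number === 'string' && claims.phone_number !== '';
  if (hasClaim) return 'ok';
  // Scope present but claim absent points at the user profile or connection
  // attributes rather than at the application's request.
  return hasScope ? 'scope-requested-claim-absent' : 'phone-scope-missing';
}

// Constructed, unsigned sample token for offline testing (hypothetical user).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.`;
}

// Constructed authorization requests against a placeholder tenant.
const base =
  'https://tenant.example.com/authorize?response_type=code&client_id=CLIENT_ID';
const withoutPhone = `${base}&scope=openid%20profile`;
const withPhone = `${base}&scope=openid%20profile%20phone`;

console.log(diagnosePhoneClaim(withoutPhone,
  makeSampleToken({ sub: 'auth0|constructed' })));
console.log(diagnosePhoneClaim(withPhone,
  makeSampleToken({ sub: 'auth0|constructed', phone_number: '+15555550100' })));
```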